Query Details

Execution Batch Git Abuse

Query

# Rule : Batch Script Driven Git History Manipulation

## Description
Detects batch or command scripts invoking chained Git history rewrite operations, including commit amendment, hook and signature verification bypass (`--no-verify`), force push, and local identity changes (`git config --local` of the user name or email). This is useful for identifying attacker automation tooling in Windows developer environments, where a rewritten and force-pushed history can hide a tampered commit or backdate its timestamps.

## Detection Logic
This detection looks for:
- a `.bat` or `.cmd` script named on a `cmd.exe` or `powershell.exe` command line
- at least one Git history rewrite pattern on that same command line: `git commit --amend`, `git push -f`, `--no-verify`, or `git config --local`
- `date` / `time` commands on the same command line, reported as an enrichment flag rather than as a trigger on their own

## Relevant Tables
- `DeviceProcessEvents`

## Search Query
```kql
DeviceProcessEvents
// Script hosts that launch .bat / .cmd files
| where FileName in~ ("cmd.exe", "powershell.exe")
// A batch or command script named on the command line. A regex is used instead of
// has_any (".bat", ".cmd") because has_any matches whole alphanumeric terms, so
// ".cmd" can match the "cmd" term in cmd.exe's own command line rather than a file extension.
| where ProcessCommandLine matches regex @"(?i)\.(bat|cmd)\b"
// At least one history-rewrite pattern is required for a hit
// (--force is the long form of -f and is included so it is not missed)
| where ProcessCommandLine has_any ("git commit --amend", "git push -f", "git push --force",
                                    "--no-verify", "git config --local")
// Clock manipulation on the same command line is an enrichment flag, not an
// alternative trigger: joining it with `or` would fire on every script launch
// that merely prints the date or time.
| extend ClockManipulation = ProcessCommandLine matches regex @"(?i)\b(date|time)\b"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ClockManipulation,
          InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, SHA1
| order by Timestamp desc
```

## False Positive Tuning
- Exclude sanctioned release or migration scripts after verification.
- Review path allowlists carefully; avoid broad exclusions for developer script folders.
- Prioritize scripts executed from repository roots, temp directories, downloads, or user profile paths.

## Triage Steps
1. Retrieve and review the batch file contents.
2. Identify whether it captures Git metadata, changes time, amends commits, or force pushes.
3. Determine which repositories and branches were affected.
4. Check whether the script executed shortly before suspicious repository changes or malware execution.
5. Review parent-child process chains for developer IDEs, shells, or automation frameworks.

## Investigation Notes
- High concern when scripts restore the original system time after amending commits: `git commit --amend` stamps the new commit with the current clock as committer date, so setting the clock back, amending, and restoring it backdates the rewritten commit while the host clock shows no lasting change.
- The script body never appears in `ProcessCommandLine`. A plain `cmd.exe /c evil.bat` launch only matches when the Git commands are chained inline on the same command line; to see what the script actually ran, pivot to `git.exe` rows in `DeviceProcessEvents` whose `InitiatingProcessCommandLine` names the script.
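To exercise the detection logic offline, the following is an added Python example (not the page's query and not the author's code) that emulates KQL `has_any` term matching and runs the rule over constructed DeviceProcessEvents-style rows; every row, device name, account and command line is invented. By default it requires a Git rewrite term and reports `date`/`time` commands as an enrichment flag, which is what the Detection Logic section describes; `clock_is_trigger=True` shows what happens when a clock command is accepted as a trigger on its own: a nightly script that only prints the time fires as well.

```python
"""Run the batch/Git history-rewrite detection over constructed process rows.

Added example, not the page's KQL. It approximates KQL `has_any` term matching
in Python so the rule can be exercised offline; the rows below are invented.
"""
import re
from typing import Dict, List, Optional

# Git history-rewrite terms from the rule, matched the way KQL `has_any` matches
# them: case-insensitive, whole terms, multi-word strings as an adjacent phrase.
GIT_REWRITE_TERMS = ("git commit --amend", "git push -f", "--no-verify", "git config --local")
CLOCK_TERMS = ("date", "time")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}
# A .bat or .cmd script named somewhere on the launcher's command line.
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)

# Constructed sample rows (assumed values; field names follow DeviceProcessEvents).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Timestamp": "2026-04-01T09:12:03Z", "DeviceName": "dev-ws01", "AccountName": "alice",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\fix.bat" && git commit --amend --no-verify && git push -f origin main'},
    {"Timestamp": "2026-04-01T09:30:45Z", "DeviceName": "dev-ws02", "AccountName": "bob",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "powershell.exe",
     # clock saved, set back, amend runs, clock restored: the pattern the notes flag
     "ProcessCommandLine": r"cmd.exe /c date /t > %TEMP%\d.txt & date 01-01-2020 & call C:\Temp\rewrite.cmd & git commit --amend --no-edit & date %SAVED%"},
    {"Timestamp": "2026-04-01T10:02:11Z", "DeviceName": "dev-ws03", "AccountName": "carol",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "Code.exe",
     # benign: prints the time, touches no Git history
     "ProcessCommandLine": r"powershell.exe -NoProfile -Command & C:\Scripts\nightly.cmd; time /t"},
    {"Timestamp": "2026-04-01T10:15:00Z", "DeviceName": "dev-ws01", "AccountName": "dave",
     "FileName": "git.exe", "InitiatingProcessFileName": "cmd.exe",
     # git.exe itself is not a script host, so the rule ignores this row
     "ProcessCommandLine": r"git.exe push -f origin main"},
    {"Timestamp": "2026-04-01T11:00:00Z", "DeviceName": "build01", "AccountName": "erin",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "Agent.Worker.exe",
     "ProcessCommandLine": r"cmd.exe /c C:\build\release.cmd --version 2.3.1"},
    {"Timestamp": "2026-04-01T11:20:30Z", "DeviceName": "dev-ws04", "AccountName": "frank",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": r"cmd.exe /c C:\Tools\setup.bat && git config --local user.email bot@example.test"},
]


def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has`: split the term into alphanumeric tokens and require
    them in order, separated and bounded by non-alphanumerics, case-insensitively.
    "date" therefore does not match "updated" and "time" does not match "timeout"."""
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", term) if t]
    if not tokens:
        return False
    body = r"[^A-Za-z0-9]+".join(re.escape(t) for t in tokens)
    pattern = r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def evaluate(event: Dict[str, str], clock_is_trigger: bool = False) -> Optional[Dict[str, object]]:
    """Return a finding for one row, or None if the row does not match.

    clock_is_trigger=False requires a Git rewrite term and reports clock commands
    as a flag; True lets a date/time command alone fire, which is far noisier."""
    if event["FileName"].lower() not in SCRIPT_HOSTS:
        return None
    cmd = event["ProcessCommandLine"]
    if not SCRIPT_EXT_RE.search(cmd):
        return None
    git_hits = [t for t in GIT_REWRITE_TERMS if has_term(cmd, t)]
    clock = any(has_term(cmd, t) for t in CLOCK_TERMS)
    if not git_hits and not (clock_is_trigger and clock):
        return None
    return {
        "Timestamp": event["Timestamp"],
        "DeviceName": event["DeviceName"],
        "AccountName": event["AccountName"],
        "FileName": event["FileName"],
        "InitiatingProcessFileName": event["InitiatingProcessFileName"],
        "ProcessCommandLine": cmd,
        "GitPatterns": git_hits,
        "ClockManipulation": clock,
    }


def run_rule(events: List[Dict[str, str]], clock_is_trigger: bool = False) -> List[Dict[str, object]]:
    """Apply the rule to every row and return findings, most recent first."""
    findings = [f for f in (evaluate(e, clock_is_trigger) for e in events) if f]
    return sorted(findings, key=lambda f: f["Timestamp"], reverse=True)


if __name__ == "__main__":
    for f in run_rule(SAMPLE_EVENTS):
        flag = " [clock manipulation]" if f["ClockManipulation"] else ""
        print(f'{f["Timestamp"]} {f["DeviceName"]} {f["AccountName"]}: {", ".join(f["GitPatterns"])}{flag}')
```

Running the module prints three findings. The `bob` row is the one to triage first: the clock is set back before the amend and restored afterwards, which is exactly the sequence the Investigation Notes single out, and the `ClockManipulation` flag surfaces it without the analyst re-reading every command line.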

Explanation

This query is designed to detect potentially malicious activity in Windows developer environments by identifying batch or command scripts that manipulate Git history. Here's a simplified breakdown:

  1. Purpose: The query aims to find scripts that perform Git operations such as amending commits, bypassing verification hooks, force-pushing changes, or altering local Git configuration (for example the committer identity). These actions could indicate automated tooling used by attackers to rewrite or backdate a repository's history.

  2. Detection Criteria:

    • The query looks for the execution of batch files (.bat) or command scripts (.cmd) by cmd.exe or powershell.exe.
    • It searches the command line that launches the script for specific Git commands, such as git commit --amend, git push -f, --no-verify, and git config --local. It does not read the script's contents; commands run from inside the script appear as separate git.exe process events.
    • It also checks for date or time commands on the same command line, since resetting the clock around an amend is how a rewritten commit is given a plausible older timestamp.
  3. Data Source: The query uses the DeviceProcessEvents table, which records process creations together with their command lines and parent processes.

  4. Output: The query returns the timestamp, device name, account name, file name, command line, parent process details, folder path and SHA1 of the process image, sorted with the most recent events first.

  5. False Positives: To reduce false positives, the rule's tuning notes suggest excluding verified scripts used for legitimate purposes, such as sanctioned release or migration scripts. They advise reviewing path allowlists carefully to avoid excluding entire developer script folders, and prioritizing scripts run from repository roots, temp directories, downloads, or user profile paths.

  6. Triage Steps: If a suspicious script is detected, the next steps include:

    • Reviewing the script's contents.
    • Checking whether it captures Git metadata or performs actions such as time changes, commit amendments, or force pushes.
    • Identifying the affected repositories and branches.
    • Investigating whether the script ran shortly before suspicious repository changes or malware execution.
    • Analyzing the parent-child process chain to see whether it was launched by a developer IDE, a shell, or an automation framework.
  7. Investigation Notes: Special attention is needed if a script restores the original system time after amending commits: the rewritten commit carries a backdated committer timestamp while the host clock shows no lasting change, which points to deliberate track covering rather than a clumsy script.

Details

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

in~, has_any, or, project, order by